https://bugs.winehq.org/show_bug.cgi?id=34558
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|UNCONFIRMED                 |NEW
          Component|-unknown                    |ntdll
            Summary|Alawar launcher fails to    |Multiple applications and
                   |start after game has been   |games wrapped with
                   |registered                  |ASProtect 1.4 protection
                   |                            |scheme fail to start after
                   |                            |registration (Farm Frenzy
                   |                            |2, Alawar, FL Studio 11.x
                   |                            |VSTi 'Slayer2' plugin,
                   |                            |FORScan)
     Ever confirmed|0                           |1
--- Comment #15 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming. I spent a good day on this nasty thing. Debugging thunks/continuations is not really fun.
In essence ASProtect employs some SEH trickery that suffers from different runtime stack usage by Wine's win32 implementation. Bug 28089 (a design problem in how Wine implements the exception handling/signal stack) is potentially also present here but not the real blocker.
The protection sets up various SEH chains at runtime which work fine. Unfortunately there is a case when the protection code sets up an SEH registration record along with additional metadata at ~ 1KB on stack top (ESP - 0x400). After that, a few calls to win32/native API are made until the new SEH record is made active (fs:[0]).
The problem arises with Wine's 'KERNEL32.VirtualAllocEx' (-> 'ntdll.RtlAllocateHeap') which I traced to consume more than 0x400 bytes until all leaf functions have been executed. One of the leaf calls overwrites/corrupts the previously initialized SEH registration record with local variables, leaving a destroyed SEH chain when the new SEH chain head is installed via 'fs:[0]'.
--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> C:\Program Files\FORScan\FORScan.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 980992 (0EF800h) Byte(s)
Compilation TimeStamp : 0x55FF57F8 -> Mon 21st Sep 2015 01:06:00 (GMT)
[TimeStamp] 0x55FF57F8 -> Mon 21st Sep 2015 01:06:00 (GMT) | PE Header | - | Offset: 0x00000100 | VA: 0x00400100 | -
[File Heuristics] -> Flag #1 : 00000000000000001100000000100010 (0x0000C022)
[Entrypoint Section Entropy] : 8.00 (section #0) " " | Size : 0x80C00 (527360) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 7 (0x7) | ImageSize 0x2A7000 (2781184) byte(s)
[!] ASProtect SKE v2.72 or higher detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 20% probability
- Scan Took : 0.721 Second(s) [0000002D1h (721) tick(s)] [499 of 573 scan(s) done]
--- snip ---
$ sha1sum FORScanSetup2.2.7.beta.exe
ddeda5bfed7f6875c90a2dbf1397701e2678ca53  FORScanSetup2.2.7.beta.exe

$ du -sh FORScanSetup2.2.7.beta.exe
15M FORScanSetup2.2.7.beta.exe

$ wine --version
wine-1.7.51-202-g14dc7e0
Regards
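Added example, not from the bug report and not Wine or ASProtect code: a small C model of the stack usage pattern the comment describes. The "stack" is a byte array with an index standing in for ESP, the "SEH record" is a 4-byte magic value, and a simulated call chain initialises each callee's locals the way real leaf functions do. The frame sizes (a shallow path of about 0x1E0 bytes and a deep path of about 0x540 bytes, standing in for the RtlAllocateHeap path that exceeds 0x400) are constructed for the example. It shows that a record placed at ESP - 0x400 without lowering ESP survives only while every callee chain stays under the reservation, and that actually reserving the space (the equivalent of `sub esp, 0x400` before the record is written) keeps the record inside the caller's own frame regardless of callee depth.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a downward-growing x86 stack: addresses are indices
 * into `mem`, and `sp` plays the role of ESP. Nothing here is Wine or
 * ASProtect code; it only replays the ordering of events from the comment. */
#define STACK_SIZE 0x2000
#define SEH_MAGIC  0x5EC0DE01u   /* stands in for the SEH registration record */
#define LEN(a)     (sizeof(a) / sizeof((a)[0]))

typedef struct {
    uint8_t mem[STACK_SIZE];
    size_t  sp;          /* current "ESP" */
    size_t  low_water;   /* lowest "ESP" any callee reached */
} sim_stack;

static void stack_init(sim_stack *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->sp = STACK_SIZE;
    s->low_water = STACK_SIZE;
}

/* Simulated call chain: each callee pushes a 4-byte return address, then
 * allocates and initialises frames[i] bytes of locals before calling the
 * next function. Initialising the locals is what clobbers anything that
 * still lives below the original caller's ESP. */
static void sim_call_chain(sim_stack *s, const size_t *frames, size_t n)
{
    size_t need = frames[0] + 4;
    if (need > s->sp) { fputs("simulated stack exhausted\n", stderr); return; }
    s->sp -= need;
    memset(s->mem + s->sp, 0xCC, need);        /* callee's locals */
    if (s->sp < s->low_water) s->low_water = s->sp;
    if (n > 1) sim_call_chain(s, frames + 1, n - 1);
    s->sp += need;                             /* ret */
}

static void write_record(sim_stack *s, size_t at)
{
    uint32_t magic = SEH_MAGIC;
    memcpy(s->mem + at, &magic, sizeof magic);
}

static int record_intact(const sim_stack *s, size_t at)
{
    uint32_t magic;
    memcpy(&magic, s->mem + at, sizeof magic);
    return magic == SEH_MAGIC;
}

/* Replays the sequence from the bug: place the record `reserve` bytes below
 * ESP, make the API calls, then check the record at the point where fs:[0]
 * would be installed. sub_esp == 0 writes the record without moving ESP
 * (the fragile pattern); sub_esp != 0 lowers ESP first so the record sits
 * inside the caller's own frame. Returns 1 if the record survived. */
static int run_scenario(size_t reserve, const size_t *frames, size_t n,
                        int sub_esp, size_t *consumed)
{
    sim_stack s;
    size_t rec;
    stack_init(&s);
    if (sub_esp) s.sp -= reserve;
    rec = sub_esp ? s.sp : s.sp - reserve;
    write_record(&s, rec);
    sim_call_chain(&s, frames, n);
    if (consumed) *consumed = s.sp - s.low_water;   /* bytes the calls used */
    return record_intact(&s, rec);
}

/* Constructed frame sizes (not measured from Wine): a shallow API path and a
 * deep one whose nested frames add up to more than the 0x400 reservation. */
static const size_t shallow_path[] = { 0x80, 0x100, 0x60 };
static const size_t deep_path[]    = { 0x80, 0x100, 0x2C0, 0x100 };

int scenario_shallow_api(void)      { return run_scenario(0x400, shallow_path, LEN(shallow_path), 0, NULL); }
int scenario_deep_api(void)         { return run_scenario(0x400, deep_path, LEN(deep_path), 0, NULL); }
int scenario_deep_api_sub_esp(void) { return run_scenario(0x400, deep_path, LEN(deep_path), 1, NULL); }

/* How much stack the deep path consumes, frames plus return addresses. */
size_t deep_path_consumption(void)
{
    size_t used = 0;
    run_scenario(0x400, deep_path, LEN(deep_path), 0, &used);
    return used;
}

int main(void)
{
    printf("record at ESP-0x400, shallow calls : %s\n", scenario_shallow_api() ? "intact" : "CORRUPTED");
    printf("record at ESP-0x400, deep calls    : %s (calls used 0x%zx bytes)\n",
           scenario_deep_api() ? "intact" : "CORRUPTED", deep_path_consumption());
    printf("record after sub esp, deep calls   : %s\n", scenario_deep_api_sub_esp() ? "intact" : "CORRUPTED");
    return 0;
}
```

The `consumed` value is the check a debugger session would want: compare the deepest ESP reached during the API calls against the size of the unreserved window, and any path that consumes more than the window will corrupt the pending record before it is linked into fs:[0].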